Let's look at some basic kubectl output options.
Our intention is to list nodes (with their AWS InstanceId) and Pods (sorted by node).
We can start with:
kubectl get no
Ludo spiarh
Neo23x0
/ log4j_rce_detection.md
Last active
April 11, 2025 22:49
Log4j RCE CVE-2021-44228 Exploitation Detection
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| from urllib.parse import unquote | |
| FLAGS = re.IGNORECASE | re.DOTALL | |
| ESC_DOLLAR = r'(?:\$|[\\%]u0024||\\x24|\\0?44|%24)' | |
| ESC_LCURLY = r'(?:\{|[\\%]u007B|\\x7B|\\173|%7B)' | |
| ESC_RCURLY = r'(?:\}|[\\%]u007D|\\x7D|\\175|%7D)' | |
| _U_PERCENT_ESCAPE_RE = re.compile(r'%(u[0-9a-f]{4})', flags=FLAGS) | |
| _PERCENT_ESCAPE_RE = re.compile(r'%[0-9a-f]{2}', flags=FLAGS) |